Privacy & data handling
AccessProof scans a merchant's public storefront for accessibility issues and helps produce an accessibility statement. This page explains what data we process and how.
What we store
- The shop domain and the public storefront URL to scan.
- Accessibility scan results of public storefront pages only: rule IDs, WCAG criteria, CSS selectors, and truncated, secret-stripped HTML snippets of public markup.
- An optional contact email you provide for alerts.
- Shopify session/authentication tokens required to run the embedded app.
What we do NOT store
- No shopper personal data (PII). We scan public pages; we do not access carts, orders, customers, or checkout data.
- We do not inject any overlay or widget into your storefront.
EU data residency (GDPR)
Data is stored and processed in the EU. Our database (Supabase) and email provider (Resend) run in EU regions, and the application is hosted in the EU.
Subprocessors
- Shopify (app platform, billing)
- Supabase — database hosting (EU)
- Resend — transactional email (EU)
- EU cloud hosting for the application and scan worker
Data subject & compliance requests
We implement Shopify's mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact). Because we store no shopper PII, customer requests return no personal data. On app uninstall and on shop/redact, we delete the shop's data (scans, issues, jobs, statements, sessions).
Retention
We keep recent scans to show trends and detect regressions, and prune older data. As no PII is stored, retention risk is minimal.
Honesty about scope
Automated testing detects only a portion of accessibility barriers. AccessProof helps you find, fix, and document issues. It does not guarantee legal compliance and is not a substitute for manual evaluation.
Contact
Questions about data handling: [email protected].
Last updated: 2026.